Manuel Pégourié-Gonnard
fa44f20b9f
Change authmode default to Required on client
2015-03-27 17:52:25 +01:00
Manuel Pégourié-Gonnard
988209f934
Adapt to SSlv2 Hello disabled by default
2015-03-24 10:43:55 +01:00
Manuel Pégourié-Gonnard
ea0920f079
Adjust test scripts to new RC4 defaults
2015-03-24 10:14:23 +01:00
Manuel Pégourié-Gonnard
19db8eaf9b
Make tests/*.sh runnable from anywhere
2015-03-10 13:42:28 +00:00
Manuel Pégourié-Gonnard
7f8099773e
Rename include directory to mbedtls
2015-03-10 11:23:56 +00:00
Manuel Pégourié-Gonnard
8fe411e9c1
Avoid issue with OpenSSl in interop test
2015-03-09 16:09:53 +00:00
Manuel Pégourié-Gonnard
9699996f46
Add missing require_gnutls guards in ssl-opt.sh
2015-02-17 16:02:37 +00:00
Manuel Pégourié-Gonnard
f7d2bbaa62
Merge branch 'development' into dtls
...
* development:
Add missing guards for gnuTLS
Prepare for mbed TLS 1.3.10 release
Fix potential timing issue in RSA pms handling
Conflicts:
ChangeLog
doxygen/input/doc_mainpage.h
doxygen/mbedtls.doxyfile
include/polarssl/version.h
library/CMakeLists.txt
library/ssl_srv.c
tests/suites/test_suite_version.data
visualc/VS2010/mbedTLS.vcxproj
visualc/VS6/mbedtls.dsp
visualc/VS6/mbedtls.dsw
2015-02-09 11:42:40 +00:00
Paul Bakker
539d972a25
Add missing guards for gnuTLS
2015-02-08 16:18:35 +01:00
Manuel Pégourié-Gonnard
3bb0801a95
Add default/basic test for DTLS
2015-01-22 13:34:21 +00:00
Manuel Pégourié-Gonnard
3a173f497b
Merge branch 'development' into dtls
...
* development:
Fix error code description.
generate_errors.pl now errors on duplicate codes
Avoid nested if's without braces.
Move renego SCSV after actual ciphersuites
Fix send_close_notify usage.
Rename variable for clarity
Improve script portability
Conflicts:
library/ssl_srv.c
programs/ssl/ssl_client2.c
programs/ssl/ssl_server2.c
tests/ssl-opt.sh
2015-01-22 13:30:33 +00:00
Manuel Pégourié-Gonnard
dc370e4969
Improve script portability
2015-01-22 10:24:59 +00:00
Manuel Pégourié-Gonnard
23eb74d8b5
Fix issues with new defaults
2015-01-21 14:37:13 +00:00
Manuel Pégourié-Gonnard
67505bf9e8
Merge branch 'development' into dtls
...
* development:
Adapt tests to new defaults/errors.
Fix typos/cosmetics in Changelog
Disable RC4 by default in example programs.
Add ssl_set_arc4_support()
Set min version to TLS 1.0 in programs
Conflicts:
include/polarssl/ssl.h
library/ssl_cli.c
library/ssl_srv.c
tests/compat.sh
2015-01-21 13:57:33 +00:00
Manuel Pégourié-Gonnard
bfccdd3c92
Merge commit '36adc36' into dtls
...
* commit '36adc36':
Add support for getrandom()
Use library default for trunc-hmac in ssl_client2
Make truncated hmac a runtime option server-side
Fix portability issue in script
Specific error for suites in common but none good
Prefer SHA-1 certificates for pre-1.2 clients
Some more refactoring/tuning.
Minor refactoring
Conflicts:
include/polarssl/error.h
include/polarssl/ssl.h
library/error.c
2015-01-21 13:48:45 +00:00
Manuel Pégourié-Gonnard
0017c2be48
Merge commit '9835bc0' into dtls
...
* commit '9835bc0':
Fix racy test.
Fix stupid error in previous commit
Don't check errors on ssl_close_notify()
Fix char signedness issue
Fix issue with non-blocking I/O & record splitting
Fix warning
Conflicts:
programs/ssl/ssl_client2.c
programs/ssl/ssl_server2.c
2015-01-21 13:42:16 +00:00
Manuel Pégourié-Gonnard
8fbb01ec84
Merge commit 'b2eaac1' into dtls
...
* commit 'b2eaac1':
Stop assuming chars are signed
Add tests for CBC record splitting
Fix tests that were failing with record splitting
Allow disabling record splitting at runtime
Add 1/n-1 record splitting
Enhance doc on ssl_write()
Conflicts:
include/polarssl/ssl.h
programs/ssl/ssl_client2.c
programs/ssl/ssl_server2.c
2015-01-21 13:37:08 +00:00
Manuel Pégourié-Gonnard
0af1ba3521
Merge commit 'f6080b8' into dtls
...
* commit 'f6080b8':
Fix warning in reduced configs
Adapt to "negative" switch for renego
Add tests for periodic renegotiation
Make renego period configurable
Auto-renegotiate before sequence number wrapping
Update Changelog for compile-option renegotiation
Switch from an enable to a disable flag
Save 48 bytes if SSLv3 is not defined
Make renegotiation a compile-time option
Add tests for renego security enforcement
Conflicts:
include/polarssl/ssl.h
library/ssl_cli.c
library/ssl_srv.c
library/ssl_tls.c
programs/ssl/ssl_server2.c
tests/ssl-opt.sh
2015-01-21 11:54:33 +00:00
Manuel Pégourié-Gonnard
51d81661dc
Adapt tests to new defaults/errors.
2015-01-14 17:20:46 +01:00
Paul Bakker
5b8f7eaa3e
Merge new security defaults for programs (RC4 disabled, SSL3 disabled)
2015-01-14 16:26:54 +01:00
Paul Bakker
c82b7e2003
Merge option to disable truncated hmac on the server-side
2015-01-14 16:16:55 +01:00
Paul Bakker
e522d0fa57
Merge smarter certificate selection for pre-TLS-1.2 clients
2015-01-14 16:12:48 +01:00
Manuel Pégourié-Gonnard
9835bc077a
Fix racy test.
...
With exchanges == renego period, sometimes the connection will be closed by
the client before the server had time to read the ClientHello, making the test
fail. The extra exchange avoids that.
2015-01-14 14:41:58 +01:00
Manuel Pégourié-Gonnard
a852cf4833
Fix issue with non-blocking I/O & record splitting
2015-01-13 20:56:15 +01:00
Paul Bakker
f3561154ff
Merge support for 1/n-1 record splitting
2015-01-13 16:31:34 +01:00
Paul Bakker
f6080b8557
Merge support for enabling / disabling renegotiation support at compile-time
2015-01-13 16:18:23 +01:00
Paul Bakker
d9e2dd2bb0
Merge support for Encrypt-then-MAC
2015-01-13 14:23:56 +01:00
Manuel Pégourié-Gonnard
bd47a58221
Add ssl_set_arc4_support()
...
Rationale: if people want to disable RC4 but otherwise keep the default suite
list, it was cumbersome. Also, since it uses a global array,
ssl_list_ciphersuite() is not a convenient place. So the SSL modules look like
the best place, even if it means temporarily adding one SSL setting.
2015-01-13 13:03:06 +01:00
Manuel Pégourié-Gonnard
a65d5082b6
Merge branch 'development' into dtls
...
* development:
Fix previous commit
Allow flexible location of valgrind
Fix test scripts portability issues
Fix Gnu-ism in script
Conflicts:
tests/ssl-opt.sh
2015-01-12 14:54:55 +01:00
Paul Bakker
54b1a8fa4d
Merge support for Extended Master Secret (session-hash)
2015-01-12 14:14:07 +01:00
Paul Bakker
b52b015c0b
Merge support for FALLBACK_SCSV
2015-01-12 14:07:59 +01:00
Manuel Pégourié-Gonnard
448ea506bf
Set min version to TLS 1.0 in programs
2015-01-12 12:32:04 +01:00
Manuel Pégourié-Gonnard
e117a8fc0d
Make truncated hmac a runtime option server-side
...
Reading the documentation of ssl_set_truncated_hmac() may give the impression
I changed the default for clients but I didn't, the old documentation was
wrong.
2015-01-09 12:52:20 +01:00
Manuel Pégourié-Gonnard
f01768c55e
Specific error for suites in common but none good
2015-01-08 17:06:16 +01:00
Manuel Pégourié-Gonnard
df331a55d2
Prefer SHA-1 certificates for pre-1.2 clients
2015-01-08 16:43:07 +01:00
Manuel Pégourié-Gonnard
3ff78239fe
Add tests for CBC record splitting
2015-01-08 11:15:09 +01:00
Manuel Pégourié-Gonnard
c82ee3555f
Fix tests that were failing with record splitting
2015-01-07 16:39:10 +01:00
Manuel Pégourié-Gonnard
f46f128f4a
Fix test scripts portability issues
2014-12-11 17:26:09 +01:00
Manuel Pégourié-Gonnard
590f416142
Add tests for periodic renegotiation
2014-12-02 10:40:55 +01:00
Manuel Pégourié-Gonnard
85d915b81d
Add tests for renego security enforcement
2014-12-02 10:40:54 +01:00
Manuel Pégourié-Gonnard
f9d778d635
Merge branch 'etm' into dtls
...
* etm:
Fix warning in reduced config
Update Changelog for EtM
Keep EtM state across renegotiations
Adjust minimum length for EtM
Don't send back EtM extension if not using CBC
Fix for the RFC erratum
Implement EtM
Preparation for EtM
Implement initial negotiation of EtM
Conflicts:
include/polarssl/check_config.h
2014-11-06 01:36:32 +01:00
Manuel Pégourié-Gonnard
56d985d0a6
Merge branch 'session-hash' into dtls
...
* session-hash:
Update Changelog for session-hash
Make session-hash depend on TLS versions
Forbid extended master secret with SSLv3
compat.sh: allow git version of gnutls
compat.sh: make options a bit more robust
Implement extended master secret
Add negotiation of Extended Master Secret
Conflicts:
include/polarssl/check_config.h
programs/ssl/ssl_server2.c
2014-11-06 01:25:09 +01:00
Manuel Pégourié-Gonnard
fedba98ede
Merge branch 'fb-scsv' into dtls
...
* fb-scsv:
Update Changelog for FALLBACK_SCSV
Implement FALLBACK_SCSV server-side
Implement FALLBACK_SCSV client-side
2014-11-05 16:12:09 +01:00
Manuel Pégourié-Gonnard
b575b54cb9
Forbid extended master secret with SSLv3
2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard
169dd6a514
Adjust minimum length for EtM
2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard
78e745fc0a
Don't send back EtM extension if not using CBC
2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard
0098e7dc70
Preparation for EtM
2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard
699cafaea2
Implement initial negotiation of EtM
...
Not implemented yet:
- actually using EtM
- conditions on renegotiation
2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard
01b2699198
Implement FALLBACK_SCSV server-side
2014-11-05 16:00:49 +01:00
Manuel Pégourié-Gonnard
1cbd39dbeb
Implement FALLBACK_SCSV client-side
2014-11-05 16:00:49 +01:00
Manuel Pégourié-Gonnard
367381fddd
Add negotiation of Extended Master Secret
...
(But not the actual thing yet.)
2014-11-05 16:00:49 +01:00
Manuel Pégourié-Gonnard
a6ace04c5c
Test for lost HelloRequest
2014-10-21 16:32:57 +02:00
Manuel Pégourié-Gonnard
f1384470bf
Avoid spurious timeout in ssl-opt.sh
2014-10-21 16:32:57 +02:00
Manuel Pégourié-Gonnard
74a1378175
Avoid false positive in ssl-opt.sh with memcheck
2014-10-21 16:32:56 +02:00
Manuel Pégourié-Gonnard
e698f59a25
Add tests for ssl_set_dtls_badmac_limit()
2014-10-21 16:32:56 +02:00
Manuel Pégourié-Gonnard
caecdaed25
Cosmetics in ssl_server2 & complete tests for HVR
2014-10-21 16:32:54 +02:00
Manuel Pégourié-Gonnard
37e08e1689
Fix max_fragment_length with DTLS
2014-10-21 16:32:53 +02:00
Manuel Pégourié-Gonnard
127ab88dba
Give more time to lossy tests with normal timers
2014-10-21 16:32:51 +02:00
Manuel Pégourié-Gonnard
ba958b8bdc
Add test for server-initiated renego
...
Just assuming the HelloRequest isn't lost for now
2014-10-21 16:32:50 +02:00
Manuel Pégourié-Gonnard
85beb30b11
Add test for resumption with non-blocking I/O
2014-10-21 16:32:48 +02:00
Manuel Pégourié-Gonnard
a59af05dce
Give more time to tests that time out too often
2014-10-21 16:32:47 +02:00
Manuel Pégourié-Gonnard
7a26d73735
Add test for session resumption
2014-10-21 16:32:47 +02:00
Manuel Pégourié-Gonnard
df9a0a8460
Drop unexpected ApplicationData
...
This is likely to happen on resumption if client speaks first at the
application level.
2014-10-21 16:32:46 +02:00
Manuel Pégourié-Gonnard
37a4de2cec
Use shorter timeouts in ssl-opt.sh proxy tests
2014-10-21 16:32:44 +02:00
Manuel Pégourié-Gonnard
6093d81c20
Add tests with proxy and non-blocking I/O
2014-10-21 16:32:42 +02:00
Manuel Pégourié-Gonnard
579950c2bb
Fix bug with non-blocking I/O and cookies
2014-10-21 16:32:42 +02:00
Manuel Pégourié-Gonnard
bd97fdb3a4
Make ssl_server2's HVR handling more realistic
...
It makes not sense to keep the connection open until the client is verified.
Until now it was useful since closing it crates a race where the second
ClientHello might be lost. But now that our client is able to resend, that's
not an issue any more.
2014-10-21 16:32:40 +02:00
Manuel Pégourié-Gonnard
7a66cbca75
Rm some redundant tests
2014-10-21 16:32:40 +02:00
Manuel Pégourié-Gonnard
9590e0a176
Add proxy tests with gnutls-srv & fragmentation
2014-10-21 16:32:40 +02:00
Manuel Pégourié-Gonnard
fa60f128d6
Quit using "yes" in ssl-opt.sh with openssl
...
It caused s_server to send an AppData record of 16Kb every millisecond or so,
which destroyed readability of the proxy and client logs.
2014-10-21 16:32:39 +02:00
Manuel Pégourié-Gonnard
08a1d4bce1
Fix bug with client auth with DTLS
2014-10-21 16:32:39 +02:00
Manuel Pégourié-Gonnard
d0fd1daa6b
Add test with proxy and openssl server
2014-10-21 16:32:38 +02:00
Manuel Pégourié-Gonnard
1b753f1e27
Add test for renego with proxy
2014-10-21 16:32:38 +02:00
Manuel Pégourié-Gonnard
18e519a660
Add proxy tests with more handshake flows
2014-10-21 16:32:37 +02:00
Manuel Pégourié-Gonnard
76fe9e41c1
Test that anti-replay ignores all duplicates
2014-10-21 16:32:36 +02:00
Manuel Pégourié-Gonnard
2739313cea
Make anti-replay a runtime option
2014-10-21 16:32:35 +02:00
Manuel Pégourié-Gonnard
246c13a05f
Fix epoch checking
2014-10-21 16:32:34 +02:00
Manuel Pégourié-Gonnard
b47368a00a
Add replay detection
2014-10-21 16:32:34 +02:00
Manuel Pégourié-Gonnard
825a49ed7c
Add more udp_proxy tests
2014-10-21 16:32:32 +02:00
Manuel Pégourié-Gonnard
a6189f0fb0
udp_proxy wasn't actually killed
2014-10-21 16:32:30 +02:00
Manuel Pégourié-Gonnard
a0719727da
Add tests with dropped packets
2014-10-21 16:32:30 +02:00
Manuel Pégourié-Gonnard
63eca930d7
Drop invalid records with DTLS
2014-10-21 16:30:28 +02:00
Manuel Pégourié-Gonnard
990f9e428a
Handle late handshake messages gracefully
2014-10-21 16:30:26 +02:00
Manuel Pégourié-Gonnard
be9eb877f7
Adapt ssl-opt.sh to allow using udp_proxy in tests
2014-10-21 16:30:25 +02:00
Manuel Pégourié-Gonnard
0a65934ef3
Re-enable valgrind for all tests
...
Now we can handle duplicated messages due to the peer re-sending (due to us
being soooo slow with valgrind)
2014-10-21 16:30:24 +02:00
Manuel Pégourié-Gonnard
0c4cbc7895
Add test for fragmentation + renego with GnuTLS
2014-10-21 16:30:23 +02:00
Manuel Pégourié-Gonnard
f1499f602e
Add interop testing for renego with GnuTLS
2014-10-21 16:30:23 +02:00
Manuel Pégourié-Gonnard
77b0b8d100
Disable some tests with valgrind for now
2014-10-21 16:30:23 +02:00
Manuel Pégourié-Gonnard
64dffc5d14
Make handshake reassembly work with openssl
2014-10-21 16:30:22 +02:00
Manuel Pégourié-Gonnard
a77561765f
Add test with openssl with DTLS in ssl-opt.sh
2014-10-21 16:30:22 +02:00
Manuel Pégourié-Gonnard
502bf30fb5
Handle reassembly of handshake messages
...
Works only with GnuTLS for now, OpenSSL packs other records in the same
datagram after the last fragmented one, which we don't handle yet.
Also, ssl-opt.sh fails the tests with valgrind for now: we're so slow with
valgrind that gnutls-serv retransmits some messages, and we don't handle
duplicated messages yet.
2014-10-21 16:30:22 +02:00
Manuel Pégourié-Gonnard
c392b240c4
Fix server-initiated renegotiation with DTLS
2014-10-21 16:30:21 +02:00
Manuel Pégourié-Gonnard
30d16eb429
Fix client-initiated renegotiation with DTLS
2014-10-21 16:30:20 +02:00
Manuel Pégourié-Gonnard
0eb6cab979
Add DTLS cookies test to ssl-opt.sh
2014-10-21 16:30:19 +02:00
Manuel Pégourié-Gonnard
7fa67728ad
Scripts print more info on failure within buildbot
2014-08-31 17:42:53 +02:00
Manuel Pégourié-Gonnard
c2b0092a1b
Fix leaving around temporary file in ssl-opt.sh
2014-08-31 17:17:36 +02:00
Manuel Pégourié-Gonnard
72e51ee7be
Use arithmetic expansion in scripts, avoid bashisms
2014-08-31 10:22:11 +02:00
Manuel Pégourié-Gonnard
c0f6a692fb
Add client timeout to ssl-opt.sh and compat.sh
2014-08-30 22:59:55 +02:00
Manuel Pégourié-Gonnard
a4afadfccd
Fix bug in OpenSSL v2 support testing
2014-08-30 22:09:36 +02:00
Manuel Pégourié-Gonnard
644e8f377d
Adapt debug_level in ssl-opt.sh to new levels
...
The meaning of debug_level was shift by one during the last debug overhaul.
(The new one is more rational, previously debug_level=1 didn't do anything.)
2014-08-30 21:59:31 +02:00